ISPs Give 'Netflow Data' To Third Parties, Who Sell It Without User Awareness Or Consent
from the more-of-the-same dept
Back around 2007 or so there was a bit of a ruckus when broadband ISPs were found to be selling your "clickstream" data (which sites you visit and how long you're there) to any nitwit with a nickel, then basically denying they were even doing that. Concerns about that now seem quaint.
In the years since, technologies like deep packet inspection have allowed ISPs to collect and sell details on every aspect of your online life, then, through obfuscation, proxies, and empty promises of "anonymization," insist they're not doing exactly that. Or, as the wireless industry's location data scandals have shown, collect and sell your daily movement habits, initially with only a fleeting concern about user privacy and security.
Now, sources in the infosec community tell Motherboard ISPs are also (again, via proxies) selling access to "netflow data." As the name suggests, netflow data details the day to day broader stroke network traffic (pdf), whether that's overall network loads, which servers are talking to one another, network topology, etc. The data is generally beneficial to researchers to understand network and user behavior, and to security experts to help mitigate network attacks. But it's also valuable, and increasingly, it's being offloaded to businesses who are then turning around and selling it:
"I'm concerned that netflow data being offered for commercial purposes is a path to a dark fucking place," one source familiar with the data told Motherboard. Motherboard granted multiple sources anonymity to speak more candidly about industry issues."
Recall that modest FCC broadband privacy rules designed to give users a little more transparency into this stuff were killed by the GOP in 2017 (using the Congressional Review Act at telecom industry behest) before they could even take effect. And recall that, thanks to a cross-industry coalition of lobbyists, the United States still doesn't have even a basic privacy law for the internet era. As a result, any shred of data that can be collected and sold is, securing that data is often an afterthought, and consumers more often than not have absolutely no transparency into anything.
The data provides comprehensive insight into not just what's happening on the originating ISPs network, but everybody's network, including what data is being pushed through VPNs. ISPs offload this data to security vendors in exchange for security threat analysis work. Those vendors then turn around and act as data brokers, selling access to this data to a wide variety of third parties... without consumer awareness or consent. ISPs then can tell reporters "we don't sell access to user data" because, technically, they aren't directly "selling" it:
"The continued sale of sensitive data could present its own privacy and security concerns, and the news highlights that ISPs are providing this data at scale to third parties likely without the informed consent of their own users.
"The users almost certainly don't [know]" their data is being provided to Team Cymru, who then sells access to it, the source familiar with the data said.
Again, there's always a lot of hand-wringing about the potential impossibility of privacy legislation given the potential for harm. But it remains entirely possible to craft comprehensive, basic federal rules that, at the very least, mandate absolute transparency with the end user. Instead of doing what we've created with a wild west like ecosystem of app makers, phone makers, software giants, telecoms and others selling every shred of data they can find, often failing to adequately secure it, and with consumer protection (or even awareness) a distant, belated afterthought.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: broadband, clickstream data, fcc, isps, netflow data, privacy
Reader Comments
Subscribe: RSS
View by: Time | Thread
Pay for some privacy
And this is why I use a VPN and certain add-on's to my browser. Sucks that there is a need to do this sort of thing.
[ link to this | view in chronology ]
Re: Pay for some privacy
Daily reminder that a VPN is just an ISP that says they don't log data.
Unless you are physically controlling a cable directly between any two endpoints, your traffic is never guaranteed to be completely private.
[ link to this | view in chronology ]
Re: Pay for some privacy
Against somebody with a broad enough view of Netflow, VPNs don't do anything. The article is talking about Cymru, and if I wanted to name anybody outside of government spies who might have that kind of broad view, it would be them. They've been doing deals to get data for ages. In fact the article specifically mentions deanonymizing VPN traffic.
I've seen people at least claim to have deanonymized even Tor flows, although they were relatively big, conspicuous flows.
Plus, of course, you're putting total trust in the VPN.
[ link to this | view in chronology ]
Re: Pay for some privacy
Unless you have a program to encrypt from your computer to a VPN, and Its still being monitored To the VPN, as it goes back and forth, unencrypted.
With encoding, the stronger it is, the SLOWER your VPN and your computer.
[ link to this | view in chronology ]
I sure hope that NO ONE is going to use this data maliciously...
Oh, who am I kidding, Russia and China are probably gonna use this to crash Internet Infrastructure in the US and far, far worse
[ link to this | view in chronology ]
How is it with all of this money they are pulling in selling our data to anyone with a dollar is it are our bills are so damn high?
[ link to this | view in chronology ]
Re:
Because corporations don't want to make some of the money. They want to make all of the money.
[ link to this | view in chronology ]
For all the ways
That tese corps make money of of us. It gets real silly, on their side, That most of the corps have our Data anyway. Including Overseas.
We know our gov. is monitoring us, which is abit silly, but from What location? Is the ISP the one doing all this work? Because then they would be getting very good money, and all this should be Allot cheaper, as we are paying with our taxes. If the gov. has enough people and programs to Monitor even 1/2 of the chats and forums, that is even More money we are paying in taxes. And then we can consider all the Grants given to the corps to get things Done, and still Not done over the past 20 years. Still it is our taxes. And I still wonder about the backbone, and if it has been fully upgraded.
[ link to this | view in chronology ]
... right?
No worries, I'm sure that with the political pressure that has been aimed at the likes of Facebook and Google relating to user privacy those same politicians will be falling over themselves to give similar treatment to ISP's, dragging them over the coals for excessive data gathering and misuse of that data and threatening them with regulation if they don't toe the line and respect user privacy.
Any day now...
[ link to this | view in chronology ]
ISPs to blame as usual but now proven to be pulling others in with them! Anything to be able to continue screwing and milking customers! About time those in Congress actually stood up to be counted rather than than keep shrinking into the woodwork
[ link to this | view in chronology ]
Wait, what? Team Cymru is one of the gigs that sells this data? i am rather deeply saddened by that.
We specialize in threat-analysis, so we get this data in exchange for doing analyses, then... make the data available to whoever the hell. Good job!
Sad, sad, sad.
[ link to this | view in chronology ]
It may sound cynical, but this feels entirely intended.
When anyone who feels "hurt", or "insulted", or "defamed", all they would need to do is find a broker who could sell them sufficient access to combine a twitter timestamp (over a broad period and number of tweets, granted), to pinpoint a source.
Looking at you Devin!
Even with whitenoise apps to attempt to blanket out frame sizes or timings, it could very plausibly used to find who tweeted, who visited, who uploaded whatever content you wish to obliviate, and then never have to publicly announce how you came to your determination.
A simple law would prevent that (obviously, with various caveats for national security, but it would need to be heavily caveated to prevent governmental abuse). But they're not interested in such things.
Why cut off your nose when you can sniff out a mean person who insults your delicate sensibilities.
[ link to this | view in chronology ]
Whats to stop a bad imposter from accessing this data to find backup repositories, or cross cloud databases, from discovering hidden servers, ones not directly addressable via public DNS in order to attack something that may not be as well defended as publicly known servers.
At my firm, we use proxies to hide our infrastructure addresses, and we continually rotate IPs, yet we still get attempts to access our servers, sometimes minutes after a rotation.
This has shown a potential route that is being used to find them.
[ link to this | view in chronology ]
Re:
You ignore random ip surfing.
It doesn’t take long to cycle through pre 6 addresses.
[ link to this | view in chronology ]
Re:
IPv4 address ranges are so small that it is effective to simply scan them all. Not having a DNS name for a host doesn't give any protection. IP rotation will happen in same address pool, it is very trivial to find the hosts even with new addresses.
[ link to this | view in chronology ]
Question
What are they actually getting from this stuff that can be directly privacy related?
Is it that someone visits a porn site or that a specific person did.
While I generally don’t care some do. Is this any different than cookie data I supply when I allow cross site tracking for relevant advertising?
Or is this an actual case of personal privacy!
I can’t get from this (and hundreds of other) article what data these profiles contain that is related to an individual.
[ link to this | view in chronology ]
Re: Question
Netflow doesn't include anything about user, it doesn't include data samples, it is just when/duration/from/to type of data.
[ link to this | view in chronology ]